It has been close to four years since the birth of the Microsoft Active Protections Program (MAPP). The program is meant to give security vendors vulnerability information early so that they can provide updated protections to customers, and up until recently, seems to have functioned without a hitch.
However, the leak of exploit code for one of the Remote Desktop Protocol (RDP) vulnerabilities (CVE-2012-0002) patched by MS12-020 has underscored that even vulnerability sharing programs can backfire. Just what happened is still under investigation, but so far, here’s what is known: in May 2011, security researcher Luigi Auriemma discovered the bug. He passed the vulnerability information on to HP’s Zero Day Initiative (ZDI), which in turn handed it off to Microsoft that August. Microsoft eventually shared the information with its MAPP partners, and somehow exploit code for the bug ended up on a Chinese download site.
“In principal, we all agree that the infosec community needs to be more willing to talk, be open and share data to improve security,” opined Andrew Storms, director of security operations at nCircle. “In practice, we all still want to keep our butts covered.”
“The value of MAPP, despite any leaks, is well worth the risk,” he added. “The ability to get active protection for known attacks out to customers every month provides enterprise IT with some much needed breathing room. Many large enterprises can take as much as 60 days to roll out the Microsoft patch bundle each month -- others take even longer. A 24-hour grace period can make a huge difference in security risk, especially with vulnerabilities like MS12-020 that have a major impact on enterprises.”
According to security researcher Dan Kaminsky, a quick scan of the Internet on March 16 showed estimates of as many as five million endpoints using the RDP protocol, underscoring the importance of applying the patch.
“Customers aren't great about patching, so telegraphing vulnerabilities to security vendors so they can develop a 'virtual patch' ahead of the MS 'official patch' makes a lot of sense…It is definitely harder to keep a secret when more people know about it, but this process should work,” said Eric Ogren, principal analyst at the Ogren Group.
Microsoft of course is just one link in the chain when it comes to vulnerability sharing. When news of the leak first broke, ZDI - which purchases security bugs from researchers and works with vendors when it’s time for disclosure – made a point of saying it was confident the leak did not come from its end.
“ZDI sends the details off to the vendor encrypted and from that point it is out of our hands,” Aaron Portnoy, manager of security research at the Zero Day Initiative, told SecurityWeek. “We trust that vendors are able to responsibly deal with the information reported to them. We don't have any control over how they operate internally.”
Yunsun Wee, director of the Trustworthy Computing Group at Microsoft, said it is actively investigating the disclosure of details of the vulnerability and will take “the necessary actions to protect customers.” RDP is not enabled by default on any Windows system, and systems that do not have it operating are not at risk.
“Given that a proof-of-concept code is publically available, we recommend customers apply the security update (MS12-020) as soon as possible to be protected,” Wee said in a statement.